---
title: 'Google App & Security Review'
sidebarTitle: 'Google App Review'
description: 'A detailed guide to pass your Google OAuth app review as fast as possible'
---

<Info>
    This guide assumes you already have a Google OAuth app set up. If not, follow [this guide](/integrations/all/google-mail#🧑%E2%80%8D💻-oauth-app-setup) first.
</Info>

You may also want to visit [Google's OAuth App Verification Help Center](https://support.google.com/cloud/answer/13463073?hl=en&ref_topic=13460882&sjid=6878633552635075588-EU) besides this guide.

## Do I need a review?

Most likely, yes.

Even if the review would be optional for your app, most teams opt to do it.

| Review type | Trigger | Common scopes |
| ----------- | ------- | --------------|
| Verification optional | Only "non-sensitive" scopes are used | `user.email`, `drive.file` |
| Google App verification required | 1 or more "sensitive" scopes | Most **Google Calendar** scopes, Gmail send, Ads, Analytics |
| Google App verification + CASA security assessment required | 1 or more ["restricted scopes"](https://support.google.com/cloud/answer/13464325?hl=en&ref_topic=13460882&sjid=4120114855682251882-EU) | **Most Gmail** (including read email), Google Chat, and **Google Drive** scopes |

To know for sure how your scopes are categorized, check your Google Cloud console: _API & Services_ -> _OAuth consent screen_ -> _Data Access_.

### Google App verification

This is a check done by Google to make sure you follow Google's API rules. Most apps that use Google APIs will go through this review. It is a one-off.

It typically **takes < 1 week if you prepare well** with this guide.

### Google App Verification + CASA security assessment

A more complex process that also includes a CASA security assessment. They run in parallel and you need to complete both for your app to be switched to production mode.

The security assessment is done by a Google approved vendor.

If you prepare with this guide, you can expect **5-20 days** from requesting the review to being fully verified.

If you are already SOC 2 Type II (or similarly) certified, you have probably done pentests before. 5 days for CASA Tier 2 verification is feasible.

If you have never done a security audit, you may need to create the necessary documentation and patch vulnerabilities. Budget 10-20 days.

The speed also depends on you: If you fix vulnerabilities fast, and follow up daily with Google and your review vendor, you will be much faster than if you just let things run their course.

If you are pressed for time and want more tips to speed things up, [reach out to us](https://nango.dev/slack). We are happy to help 1:1.

<Info>
    If you use restricted scopes, the CASA assessment and app verification needs to be [renewed annually](https://support.google.com/cloud/answer/13463816?hl=en&ref_topic=13460882&sjid=6878633552635075588-EU). Unless you had major changes in your functionality, the renewal will be much easier.
</Info>

# Recommended process

This process covers App verification + CASA assessment.
If you only need to do App verification, skip steps 4 and 5.

1. Implement the integration in your app with your Google OAuth app in test mode
    - It's important that the feature works: Google will test it end to end during the App verification
    - 100 users can authorize your app before the review is required
2. Prepare for the App verification (+ CASA assessment)
    - Pick a Google approved CASA vendor _(CASA assessment only)_
    - Run a first security scan on your app to fix low-hanging fruit _(CASA assessment only)_
3. Start the app review verification with Google
    - You will need to submit a video walkthrough and answer some questions
    - Google will start reviewing your integration. Expect back-and-forth on details.
4. Start the CASA assessment _(CASA assessment only)_
    - If required, Google will email you to request a CASA Tier 2 assessment shortly after you start the review process
    - Forward the email to your CASA vendor
    - Work with your CASA vendor to get validated
5. Letter of validation (LoV) & final approval _(CASA assessment only)_
    - Your CASA vendor will send an LoV to Google
    - Google will remove the "unverified" screen and unlimited users can authorize
    - Congrats, you are now verified!

## Step 1: Implement the integration in your app

It's important to have a working version of the integration before you start the review process.

As part of the app verification, Google will test your integration and verify each feature works.

They will also check that each scope you request is required by a feature of your integration. For example, if you request `https://www.googleapis.com/auth/gmail.send` Google wants to see a feature that sends an email on behalf of the user.

You can launch your integration while your Google OAuth app is still in test mode, but there are pretty severe restrictions.

We recommend you start the app verification process as soon as the integration works end to end. You can polish the UX while the review is in progress.

### Test mode restrictions
Until your app is verified:

- Users see a scary "this app is unverified" step during the OAuth flow
- Only 100 users may authorize your app in total. You cannot reset this counter or remove test users.
- OAuth tokens always expire after 7 days, forcing users to re-authorize

For apps that need both a Google review and CASA verification these restrictions are in place until both are done.

### Tips for development

- Only request scopes you need right now. If you need additional scopes in the future, add them then.
    - Google reviewers will test this and reject your application if you ask for scopes you don't use
- Use a separate OAuth app (on a different Google Cloud project) for your own development & testing. It gets its own 100 test users.
- Keep the restricted scopes count minimal and user-scoped.
    - If you ask for 10+ restricted scopes (anecdotal), or domain-wide delegation, Google may ask you to become CASA Tier 3 verified.
    - CASA Tier 3 is exponentially more work and costly, compared to Tier 2
- Test users are permanent: You cannot reset the counter or remove test users. Make sure you use the 100 test users wisely.
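The scope tips above are easy to violate by accident: a prototype leaves a scope in your OAuth config, and the reviewer rejects the app because no feature uses it. As an added example (not code from the Nango docs or from Google), here is a small JavaScript audit you can run in CI before you submit. It checks that every requested scope is backed by a feature you ship, that every feature's scope is actually requested, which review track the requested set triggers, and whether you are near the anecdotal 10+ restricted scopes figure. The category map is an assumption built only from the examples in this guide's table; the _Data Access_ page of your console is the source of truth and you should extend the map from what it shows for your project.

```javascript
// Added example: pre-submission scope audit. Not part of the Nango docs or Google's tooling.
const G = 'https://www.googleapis.com/auth/';

// ASSUMPTION: illustrative categorisation only, taken from the examples in this guide.
// Your Google Cloud console (OAuth consent screen -> Data Access) is the source of truth.
const SCOPE_CATEGORY = {
  openid: 'non-sensitive',
  email: 'non-sensitive',
  profile: 'non-sensitive',
  [G + 'userinfo.email']: 'non-sensitive',
  [G + 'drive.file']: 'non-sensitive',
  [G + 'gmail.send']: 'sensitive',
  [G + 'calendar']: 'sensitive',
  [G + 'calendar.events']: 'sensitive',
  [G + 'gmail.readonly']: 'restricted',
  [G + 'gmail.modify']: 'restricted',
  [G + 'drive']: 'restricted',
  [G + 'drive.readonly']: 'restricted',
  [G + 'chat.messages']: 'restricted',
};

// Anecdotal threshold from this guide: at 10+ restricted scopes Google may ask for CASA Tier 3.
const RESTRICTED_TIER3_HINT = 10;

// requestedScopes: the scopes your OAuth config asks for.
// featureScopes:   { "feature name": [scopes that feature needs] } - your scope justification list.
function auditScopes(requestedScopes, featureScopes, categories = SCOPE_CATEGORY) {
  const justified = new Set(Object.values(featureScopes).flat());
  const findings = [];
  const counts = { 'non-sensitive': 0, sensitive: 0, restricted: 0, unknown: 0 };

  for (const scope of requestedScopes) {
    if (!justified.has(scope)) {
      findings.push(`${scope}: requested but no feature uses it (drop it or add the feature)`);
    }
    const cat = categories[scope] ?? 'unknown';
    counts[cat] += 1;
    if (cat === 'unknown') {
      findings.push(`${scope}: not in the category map, check its classification in the console`);
    }
  }

  // Reverse check: a feature that relies on a scope you never request will fail the reviewer's end-to-end test.
  for (const [feature, scopes] of Object.entries(featureScopes)) {
    for (const scope of scopes) {
      if (!requestedScopes.includes(scope)) {
        findings.push(`${feature}: needs ${scope} but it is not requested`);
      }
    }
  }

  // Unknown scopes are treated conservatively as at least requiring verification.
  let reviewTrack = 'verification optional';
  if (counts.restricted > 0) reviewTrack = 'app verification + CASA Tier 2';
  else if (counts.sensitive > 0 || counts.unknown > 0) reviewTrack = 'app verification';
  if (counts.restricted >= RESTRICTED_TIER3_HINT) {
    findings.push(`${counts.restricted} restricted scopes: Google may require CASA Tier 3`);
  }

  return { reviewTrack, counts, findings, ok: findings.length === 0 };
}

// Constructed sample: the app ships three features, but the OAuth config still
// requests gmail.readonly from an abandoned prototype. That one scope both adds a
// CASA assessment and would be rejected for having no feature behind it.
const sampleRequested = [G + 'userinfo.email', G + 'gmail.send', G + 'drive.file', G + 'gmail.readonly'];
const sampleFeatures = {
  'Show the signed-in Google account': [G + 'userinfo.email'],
  'Send email on behalf of the user': [G + 'gmail.send'],
  'Save generated report to Drive': [G + 'drive.file'],
};

const report = auditScopes(sampleRequested, sampleFeatures);
console.log(report.reviewTrack, report.counts);
for (const f of report.findings) console.log('-', f);
```

Run it as part of CI and fail the build when `ok` is false; after removing the leftover `gmail.readonly` scope from the sample config, the same audit reports the "app verification" track with no findings, which is the state you want before pressing "Publish app".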

## Step 2: Prepare for review

For App verification, make sure you fulfill all of [Google's verification requirements](https://support.google.com/cloud/answer/13464321?hl=en&ref_topic=13460882&sjid=4120114855682251882-EU).

Both the "Brand verification requirements" and "Sensitive and Restricted Scope Requirements" are relevant (unless you only use non-sensitive scopes).

<Tip>
    Good preparation greatly accelerates your review process.

    Google takes 24-48h to answer emails. A good demo video and precise answers will save you days of back-and-forth with your reviewer.
</Tip>

Most importantly:
* Switch to a [custom callback URL in Nango](/implementation-guides/api-auth/implement-api-auth#5-setup-a-custom-oauth-callback-url-optional), and verify the domain of your callback URL in your Google Cloud project.
* Make sure your contact details in the Google Cloud console project are up to date. All communication is sent there!
* Prepare a [demo video](https://support.google.com/cloud/answer/13464321?hl=en&ref_topic=13460882&sjid=4120114855682251882-EU#:~:text=2.%20App%20functionality%20demonstration%20video) exactly as requested by Google (shows end to end flow, including OAuth flow, etc.)
* For each scope you request, prepare a [detailed justification](https://support.google.com/cloud/answer/13464321?hl=en&ref_topic=13460882&sjid=4120114855682251882-EU#:~:text=Request%20narrowest%20scopes) which includes:
    * An explanation of why narrower scopes would not work, including specifics on what functionality would not work as intended. Read Google's sample justification.
    * This and the demo video are the most frequent sources of back-and-forth communication.

### Additional prep for CASA Tier 2 assessment

CASA assessments have different tiers, but the only relevant one for you here is Tier 2.

#### Run a security pre-scan
We recommend running a first security scan before you start your CASA assessment. This lets you fix obvious issues now, without the additional back-and-forth hassle with your CASA vendor.

CASA recommends [Fluidattacks](https://fluidattacks.com/) for static security scans. There is a free, open-source CLI that spins up a pre-configured docker container to run a static (SAST) scan against your codebase. [Instructions are here](https://appdefensealliance.dev/casa/tier-2/ast-guide/static-scan).

Ideally, aim for a clean output, but fix at least the high- and medium-severity findings. Otherwise you will have at least 2 scan cycles during your actual assessment.

#### Pick a CASA assessment vendor
Your vendor must be listed on the [CASA Authorized Assessors](https://appdefensealliance.dev/casa/casa-assessors) list.

We have compiled a list of the most common vendors:

**[TAC Security](https://tacsecurity.com/google-casa-cloud-application-security-assessment/) (recommended)** - $540 - $720
$540 gets you two revalidations. $720 gets you unlimited revalidations. They sometimes run 10% discounts; check their website.

A validation is a single scan and output of issues. If you do a pre-scan and fix issues first, you'll probably only need the two validations to fix the remaining issues. Try to avoid scanning again until everything picked up in the first scan has either a fix or an accepted omission.

Many Nango customers have used them. They are affordable and have mostly automated the process, but make sure to check in with them daily on their communication with Google. This helps run the review as fast as possible.

**[Netsentries](https://www.netsentries.com/service/casa)** - ~$700
You need to fill in a form to get a full quote. We heard they have a more human-level touch. If you have used them please let us know, happy to add your experience here.

**[Prescient security](https://prescientsecurity.com/casa)** - $3,000+
Much more expensive but much better support and guidance throughout the process. If you already work with them from your SOC 2 or ISO 27001 audit and want guidance, try them.

Prices are as of August 2025, if you have updates, let us know.

Engage a vendor before you start your review, so you can avoid delays from back-and-forth negotiations.


## Step 3: Start the App verification

Ready? Let's go to prod!

In your GCP console go to _API & Services_ -> _OAuth consent screen_ -> _Audience_.
Under "Publishing status", click on "Publish app". Confirm the consent screen.

Now go to _Verification Center_ in the navbar and you should see a form to start the app verification process.

You may get emails from Google asking for more details. We recommend answering quickly, but diligently. Google answers within 24-48h; the fewer loops you need, the faster your app will get verified.

Note that the [test mode restrictions](#test-mode-restrictions) remain until your verification is complete.

## Step 4: Start the CASA assessment

If a CASA assessment is required, you will get an email from Google shortly after starting the App verification process. If nothing arrives after a few days, reach out to Google.

Forward this email to your CASA vendor. Some vendors will only let you start the assessment once they have the email from Google.

The CASA Tier 2 assessment has two parts:

1. Security scan (static or dynamic) of your assets
    - You get to pick which assets to scan (API, mobile app, web app, etc.)
    - You usually get the choice between a static (SAST) code scan or a dynamic, automated pen test (DAST)
    - If you pick SAST, you can prepare perfectly with Fluidattacks. The DAST might find slightly more complex issues.
2. Self-Assessment questionnaire (SAQ): About 50 questions on your security practices & setup
    - Mostly "common sense" and a repeat of what you did for SOC 2/ISO, if you have done them
    - The goal here is to answer "yes" for everything with 1-2 sentences of evidence that gives the auditor no reason to reject your questionnaire

Run the security scan and get your results. Fix the issues, or provide explanations for each issue that you deem a false positive of the scan. Make sure you get confirmation from your CASA vendor for the false positives. Repeat until the scan is clean and/or all false positives are approved by your vendor.

More tips:
- If your app is SSO only for login, and you picked a DAST scan, let your vendor know. Some DAST tools can't handle SSO and will report the app as broken immediately. Avoid the extra loop.
- Don't submit SAQ questionnaires with "no" answers in them. You can't pass with a "no"; work on getting to "yes" and save yourself the extra round trip.

<Tip>
    Don't be afraid to get into the email chain between your CASA vendor and Google if necessary.

    Some vendors have a history of not responding promptly to communications from Google. If you want to move fast, make sure you stay at the top of the inbox of both teams by following up daily and pushing for the next steps.
</Tip>

## Step 5: Letter of validation (LoV)

Once you pass all steps your CASA vendor will send a letter of validation to Google.

Google may take up to one week to process the letter and issue final approval for your App. Two Google teams are involved in this, and they may work on different tickets. Don't panic if your ticket stays open for a few days with no updates.

Once verified, Google will remove the "unverified" step from your OAuth flow and lift the 100 test users limit.

Congrats, you are now live! 🎉

<Warning>
    Don't forget the annual revalidation!

    You _should_ receive an email from Google 90 days before the validation is due. But make sure to set yourself a reminder. The validation will auto-expire with no additional reminders!
</Warning>